From 2a64c4694800728272363592adefc1d3bc06cca7 Mon Sep 17 00:00:00 2001 From: Greg <miernicki_gregory@bah.com> Date: Tue, 18 Mar 2025 06:03:58 -0500 Subject: [PATCH] =?UTF-8?q?=20=E2=9B=B5?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- CHANGELOG.md | 4 + README.md | 137 +++++++++--------- chart/Chart.yaml | 6 +- chart/Kptfile | 4 +- chart/files/profile-ambient.yaml | 3 - .../profile-compatibility-version-1.22.yaml | 16 +- .../profile-compatibility-version-1.23.yaml | 23 +++ .../profile-compatibility-version-1.24.yaml | 11 ++ chart/files/profile-demo.yaml | 21 +++ chart/files/profile-platform-gke.yaml | 6 + chart/files/profile-platform-k3d.yaml | 7 + chart/files/profile-platform-k3s.yaml | 7 + chart/files/profile-platform-microk8s.yaml | 7 + chart/files/profile-platform-minikube.yaml | 6 + chart/files/profile-platform-openshift.yaml | 19 +++ chart/files/profile-remote.yaml | 13 ++ chart/templates/_helpers.tpl | 11 -- chart/templates/deployment.yaml | 19 ++- chart/templates/hpa.yaml | 2 + chart/templates/poddisruptionbudget.yaml | 2 + chart/templates/role.yaml | 4 + chart/templates/service.yaml | 2 + chart/templates/serviceaccount.yaml | 2 + chart/templates/zzz_profile.yaml | 45 +++++- chart/values.schema.json | 20 ++- chart/values.yaml | 26 +++- docs/DEVELOPMENT_MAINTENANCE.md | 93 ++++++++++-- 27 files changed, 393 insertions(+), 123 deletions(-) create mode 100644 chart/files/profile-compatibility-version-1.23.yaml create mode 100644 chart/files/profile-compatibility-version-1.24.yaml create mode 100644 chart/files/profile-platform-gke.yaml create mode 100644 chart/files/profile-platform-k3d.yaml create mode 100644 chart/files/profile-platform-k3s.yaml create mode 100644 chart/files/profile-platform-microk8s.yaml create mode 100644 chart/files/profile-platform-minikube.yaml create mode 100644 chart/files/profile-platform-openshift.yaml create mode 100644 chart/files/profile-remote.yaml 
diff --git a/CHANGELOG.md b/CHANGELOG.md index 30e07a6..c8f44ee 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,10 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), --- +## [1.25.0-bb.0] - 2024-03-18 +Changed +- Updated to v1.25.0 + ## [1.23.3-bb.3] - 2024-02-13 ### Added diff --git a/README.md b/README.md index 0e8d731..09e4c4b 100644 --- a/README.md +++ b/README.md @@ -1,7 +1,7 @@ <!-- Warning: Do not manually edit this file. See notes on gluon + helm-docs at the end of this file for more information. --> # gateway -    +    Helm chart for deploying Istio gateways @@ -11,7 +11,7 @@ Helm chart for deploying Istio gateways ## Upstream Release Notes -- [Find our upstream chart's CHANGELOG here](https://istio.io/latest/news/releases/1.23.2/announcing-1.23.2) +- [Find our upstream chart's CHANGELOG here](https://istio.io/latest/news/releases/1.25.x/announcing-1.25) ## Learn More 
@@ -41,71 +41,74 @@ helm install gateway chart/ | Key | Type | Default | Description | |-----|------|---------|-------------| -| defaults.name | string | `""` | | -| defaults.revision | string | `""` | | -| defaults.replicaCount | string | `nil` | | -| defaults.kind | string | `"Deployment"` | | -| defaults.rbac.enabled | bool | `true` | | -| defaults.serviceAccount.create | bool | `true` | | -| defaults.serviceAccount.annotations | object | `{}` | | -| defaults.serviceAccount.name | string | `""` | | -| defaults.podAnnotations."prometheus.io/port" | string | `"15020"` | | -| defaults.podAnnotations."prometheus.io/scrape" | string | `"true"` | | -| defaults.podAnnotations."prometheus.io/path" | string | `"/stats/prometheus"` | | -| defaults.podAnnotations."inject.istio.io/templates" | string | `"gateway"` | | -| defaults.podAnnotations."sidecar.istio.io/inject" | string | `"true"` | | -| defaults.securityContext | object | `{}` | | -| defaults.containerSecurityContext | object | `{}` | | -| defaults.service.type | string | `"LoadBalancer"` | | -| defaults.service.ports[0].name | string | `"tcp-status-port"` | | -| defaults.service.ports[0].port | int | `15021` | | -| defaults.service.ports[0].protocol | string | `"TCP"` | | -| defaults.service.ports[0].targetPort | int | `15021` | | -| defaults.service.ports[1].name | string | `"http2"` | | -| defaults.service.ports[1].port | int | `80` | | -| defaults.service.ports[1].protocol | string | `"TCP"` | | -| defaults.service.ports[1].targetPort | int | `8080` | | -| defaults.service.ports[2].name | string | `"https"` | | -| defaults.service.ports[2].port | int | `443` | | -| defaults.service.ports[2].protocol | string | `"TCP"` | | -| defaults.service.ports[2].targetPort | int | `8443` | | -| defaults.service.annotations | object | `{}` | | -| defaults.service.loadBalancerIP | string | `""` | | -| defaults.service.loadBalancerSourceRanges | list | `[]` | | -| defaults.service.externalTrafficPolicy | string | `""` | | -| 
defaults.service.externalIPs | list | `[]` | | -| defaults.service.ipFamilyPolicy | string | `""` | | -| defaults.service.ipFamilies | list | `[]` | | -| defaults.resources.requests.cpu | string | `"100m"` | | -| defaults.resources.requests.memory | string | `"128Mi"` | | -| defaults.resources.limits.cpu | string | `"2000m"` | | -| defaults.resources.limits.memory | string | `"1024Mi"` | | -| defaults.autoscaling.enabled | bool | `true` | | -| defaults.autoscaling.minReplicas | int | `1` | | -| defaults.autoscaling.maxReplicas | int | `5` | | -| defaults.autoscaling.targetCPUUtilizationPercentage | int | `80` | | -| defaults.autoscaling.targetMemoryUtilizationPercentage | object | `{}` | | -| defaults.autoscaling.autoscaleBehavior | object | `{}` | | -| defaults.env | object | `{}` | | -| defaults.labels | object | `{}` | | -| defaults.annotations | object | `{}` | | -| defaults.nodeSelector | object | `{}` | | -| defaults.tolerations | list | `[]` | | -| defaults.topologySpreadConstraints | list | `[]` | | -| defaults.affinity | object | `{}` | | -| defaults.networkGateway | string | `""` | | -| defaults.image.repo | string | `"registry1.dso.mil/ironbank/opensource/istio/proxyv2"` | | -| defaults.image.tag | string | `"1.23.3"` | | -| defaults.imagePullPolicy | string | `""` | | -| defaults.imagePullSecrets[0].name | string | `"private-registry"` | | -| defaults.podDisruptionBudget | object | `{}` | | -| defaults.terminationGracePeriodSeconds | int | `30` | | -| defaults.volumes | list | `[]` | | -| defaults.volumeMounts | list | `[]` | | -| defaults.priorityClassName | string | `""` | | -| defaults.enterprise | bool | `false` | | -| defaults.tidHub | string | `"registry1.dso.mil/ironbank/tetrate/istio"` | | -| defaults.tidTag | string | `"1.23.3-tetratefips-v0"` | | +| _internal_defaults_do_not_set.name | string | `""` | | +| _internal_defaults_do_not_set.revision | string | `""` | | +| _internal_defaults_do_not_set.replicaCount | string | `nil` | | +| 
_internal_defaults_do_not_set.kind | string | `"Deployment"` | | +| _internal_defaults_do_not_set.rbac.enabled | bool | `true` | | +| _internal_defaults_do_not_set.serviceAccount.create | bool | `true` | | +| _internal_defaults_do_not_set.serviceAccount.annotations | object | `{}` | | +| _internal_defaults_do_not_set.serviceAccount.name | string | `""` | | +| _internal_defaults_do_not_set.podAnnotations."prometheus.io/port" | string | `"15020"` | | +| _internal_defaults_do_not_set.podAnnotations."prometheus.io/scrape" | string | `"true"` | | +| _internal_defaults_do_not_set.podAnnotations."prometheus.io/path" | string | `"/stats/prometheus"` | | +| _internal_defaults_do_not_set.podAnnotations."inject.istio.io/templates" | string | `"gateway"` | | +| _internal_defaults_do_not_set.podAnnotations."sidecar.istio.io/inject" | string | `"true"` | | +| _internal_defaults_do_not_set.securityContext | object | `{}` | | +| _internal_defaults_do_not_set.containerSecurityContext | object | `{}` | | +| _internal_defaults_do_not_set.service.type | string | `"LoadBalancer"` | | +| _internal_defaults_do_not_set.service.ports[0].name | string | `"tcp-status-port"` | | +| _internal_defaults_do_not_set.service.ports[0].port | int | `15021` | | +| _internal_defaults_do_not_set.service.ports[0].protocol | string | `"TCP"` | | +| _internal_defaults_do_not_set.service.ports[0].targetPort | int | `15021` | | +| _internal_defaults_do_not_set.service.ports[1].name | string | `"http2"` | | +| _internal_defaults_do_not_set.service.ports[1].port | int | `80` | | +| _internal_defaults_do_not_set.service.ports[1].protocol | string | `"TCP"` | | +| _internal_defaults_do_not_set.service.ports[1].targetPort | int | `8080` | | +| _internal_defaults_do_not_set.service.ports[2].name | string | `"https"` | | +| _internal_defaults_do_not_set.service.ports[2].port | int | `443` | | +| _internal_defaults_do_not_set.service.ports[2].protocol | string | `"TCP"` | | +| 
_internal_defaults_do_not_set.service.ports[2].targetPort | int | `8443` | | +| _internal_defaults_do_not_set.service.annotations | object | `{}` | | +| _internal_defaults_do_not_set.service.loadBalancerIP | string | `""` | | +| _internal_defaults_do_not_set.service.loadBalancerSourceRanges | list | `[]` | | +| _internal_defaults_do_not_set.service.externalTrafficPolicy | string | `""` | | +| _internal_defaults_do_not_set.service.externalIPs | list | `[]` | | +| _internal_defaults_do_not_set.service.ipFamilyPolicy | string | `""` | | +| _internal_defaults_do_not_set.service.ipFamilies | list | `[]` | | +| _internal_defaults_do_not_set.resources.requests.cpu | string | `"100m"` | | +| _internal_defaults_do_not_set.resources.requests.memory | string | `"128Mi"` | | +| _internal_defaults_do_not_set.resources.limits.cpu | string | `"2000m"` | | +| _internal_defaults_do_not_set.resources.limits.memory | string | `"1024Mi"` | | +| _internal_defaults_do_not_set.autoscaling.enabled | bool | `true` | | +| _internal_defaults_do_not_set.autoscaling.minReplicas | int | `1` | | +| _internal_defaults_do_not_set.autoscaling.maxReplicas | int | `5` | | +| _internal_defaults_do_not_set.autoscaling.targetCPUUtilizationPercentage | int | `80` | | +| _internal_defaults_do_not_set.autoscaling.targetMemoryUtilizationPercentage | object | `{}` | | +| _internal_defaults_do_not_set.autoscaling.autoscaleBehavior | object | `{}` | | +| _internal_defaults_do_not_set.env | object | `{}` | | +| _internal_defaults_do_not_set.strategy | object | `{}` | | +| _internal_defaults_do_not_set.minReadySeconds | string | `nil` | | +| _internal_defaults_do_not_set.readinessProbe | object | `{}` | | +| _internal_defaults_do_not_set.labels."istio.io/dataplane-mode" | string | `"none"` | | +| _internal_defaults_do_not_set.annotations | object | `{}` | | +| _internal_defaults_do_not_set.nodeSelector | object | `{}` | | +| _internal_defaults_do_not_set.tolerations | list | `[]` | | +| 
_internal_defaults_do_not_set.topologySpreadConstraints | list | `[]` | | +| _internal_defaults_do_not_set.affinity | object | `{}` | | +| _internal_defaults_do_not_set.networkGateway | string | `""` | | +| _internal_defaults_do_not_set.image.repo | string | `"registry1.dso.mil/ironbank/opensource/istio/proxyv2"` | | +| _internal_defaults_do_not_set.image.tag | string | `"1.25.0"` | | +| _internal_defaults_do_not_set.imagePullPolicy | string | `""` | | +| _internal_defaults_do_not_set.imagePullSecrets[0].name | string | `"private-registry"` | | +| _internal_defaults_do_not_set.podDisruptionBudget | object | `{}` | | +| _internal_defaults_do_not_set.terminationGracePeriodSeconds | int | `30` | | +| _internal_defaults_do_not_set.volumes | list | `[]` | | +| _internal_defaults_do_not_set.volumeMounts | list | `[]` | | +| _internal_defaults_do_not_set.priorityClassName | string | `""` | | +| _internal_defaults_do_not_set.enterprise | bool | `false` | | +| _internal_defaults_do_not_set.tidHub | string | `"registry1.dso.mil/ironbank/tetrate/istio"` | | +| _internal_defaults_do_not_set.tidTag | string | `"1.25.0-tetratefips0"` | | | mtls.mode | string | `"STRICT"` | STRICT = Allow only mutual TLS traffic, PERMISSIVE = Allow both plain text and mutual TLS traffic | | networkPolicies.enabled | bool | `true` | | | networkPolicies.additionalPolicies | list | `[]` | | diff --git a/chart/Chart.yaml b/chart/Chart.yaml index 0b62eb7..a232c6a 100644 --- a/chart/Chart.yaml +++ b/chart/Chart.yaml @@ -2,8 +2,8 @@ apiVersion: v2 name: gateway description: Helm chart for deploying Istio gateways type: application -version: 1.23.3-bb.3 -appVersion: 1.23.3 +version: 1.25.0-bb.0 +appVersion: 1.25.0 sources: - https://github.com/istio/istio icon: https://istio.io/latest/favicons/android-192x192.png 
@@ -13,4 +13,4 @@ keywords: annotations: bigbang.dev/maintenanceTrack: bb_integrated bigbang.dev/upstreamReleaseNotesMarkdown: | - - [Find our upstream chart's CHANGELOG here](https://istio.io/latest/news/releases/1.23.2/announcing-1.23.2) + - [Find our upstream chart's CHANGELOG here](https://istio.io/latest/news/releases/1.25.x/announcing-1.25) diff --git a/chart/Kptfile b/chart/Kptfile index 150e5f7..d11d943 100644 --- a/chart/Kptfile +++ b/chart/Kptfile @@ -5,7 +5,7 @@ metadata: upstream: type: git git: - commit: 33af1b65afe2780bc2bc7c94ccd8a6f6281215e4 + commit: 57e59c2e5d6b757a68d867491d9c9c09694e1522 repo: https://github.com/istio/istio directory: /manifests/charts/gateway - ref: 1.23.3 + ref: 1.25.0 diff --git a/chart/files/profile-ambient.yaml b/chart/files/profile-ambient.yaml index 22db033..2805fe4 100644 --- a/chart/files/profile-ambient.yaml +++ b/chart/files/profile-ambient.yaml @@ -15,6 +15,3 @@ pilot: cni: ambient: enabled: true - -# Ztunnel doesn't use a namespace, so everything here is mostly for ztunnel -variant: distroless diff --git a/chart/files/profile-compatibility-version-1.22.yaml b/chart/files/profile-compatibility-version-1.22.yaml index b091e2b..62420fe 100644 --- a/chart/files/profile-compatibility-version-1.22.yaml +++ b/chart/files/profile-compatibility-version-1.22.yaml @@ -6,7 +6,14 @@ pilot: env: # 1.23 behavioral changes ENABLE_DELIMITED_STATS_TAG_REGEX: "false" - + + # 1.24 behavioral changes + ENABLE_INBOUND_RETRY_POLICY: "false" + EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY: "false" + PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false" + ENABLE_ENHANCED_DESTINATIONRULE_MERGE: "false" + PILOT_UNIFIED_SIDECAR_SCOPE: "false" + meshConfig: defaultConfig: proxyMetadata: 
@@ -14,3 +21,10 @@ meshConfig: ENABLE_DEFERRED_CLUSTER_CREATION: "false" # 1.23 behavioral changes ENABLE_DELIMITED_STATS_TAG_REGEX: "false" + # 1.24 behaviour changes + ENABLE_DEFERRED_STATS_CREATION: "false" + BYPASS_OVERLOAD_MANAGER_FOR_STATIC_LISTENERS: "false" + +# Not present in <1.24, defaults to `true` in 1.25+ +ambient: + reconcileIptablesOnStartup: false diff --git a/chart/files/profile-compatibility-version-1.23.yaml b/chart/files/profile-compatibility-version-1.23.yaml new file mode 100644 index 0000000..6b636e6 --- /dev/null +++ b/chart/files/profile-compatibility-version-1.23.yaml @@ -0,0 +1,23 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.24 behavioral changes + ENABLE_INBOUND_RETRY_POLICY: "false" + EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY: "false" + PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false" + ENABLE_ENHANCED_DESTINATIONRULE_MERGE: "false" + PILOT_UNIFIED_SIDECAR_SCOPE: "false" + +meshConfig: + defaultConfig: + proxyMetadata: + # 1.24 behaviour changes + ENABLE_DEFERRED_STATS_CREATION: "false" + BYPASS_OVERLOAD_MANAGER_FOR_STATIC_LISTENERS: "false" + +# Not present in <1.24, defaults to `true` in 1.25+ +ambient: + reconcileIptablesOnStartup: false diff --git a/chart/files/profile-compatibility-version-1.24.yaml b/chart/files/profile-compatibility-version-1.24.yaml new file mode 100644 index 0000000..a2dc354 --- /dev/null +++ b/chart/files/profile-compatibility-version-1.24.yaml 
@@ -0,0 +1,11 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.24 behavioral changes + PILOT_ENABLE_IP_AUTOALLOCATE: "false" +ambient: + dnsCapture: false + reconcileIptablesOnStartup: false diff --git a/chart/files/profile-demo.yaml b/chart/files/profile-demo.yaml index 83b9d6b..d6dc36d 100644 --- a/chart/files/profile-demo.yaml +++ b/chart/files/profile-demo.yaml @@ -21,6 +21,22 @@ meshConfig: opentelemetry: port: 4317 service: opentelemetry-collector.observability.svc.cluster.local + - name: jaeger + opentelemetry: + port: 4317 + service: jaeger-collector.istio-system.svc.cluster.local + +cni: + resources: + requests: + cpu: 10m + memory: 40Mi + +ztunnel: + resources: + requests: + cpu: 10m + memory: 40Mi global: proxy: @@ -28,6 +44,11 @@ global: requests: cpu: 10m memory: 40Mi + waypoint: + resources: + requests: + cpu: 10m + memory: 40Mi pilot: autoscaleEnabled: false diff --git a/chart/files/profile-platform-gke.yaml b/chart/files/profile-platform-gke.yaml new file mode 100644 index 0000000..521bf1b --- /dev/null +++ b/chart/files/profile-platform-gke.yaml @@ -0,0 +1,6 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work diff --git a/chart/files/profile-platform-k3d.yaml b/chart/files/profile-platform-k3d.yaml new file mode 100644 index 0000000..cd86d9e --- /dev/null +++ b/chart/files/profile-platform-k3d.yaml 
@@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d + cniBinDir: /bin diff --git a/chart/files/profile-platform-k3s.yaml b/chart/files/profile-platform-k3s.yaml new file mode 100644 index 0000000..0782010 --- /dev/null +++ b/chart/files/profile-platform-k3s.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d + cniBinDir: /var/lib/rancher/k3s/data/cni diff --git a/chart/files/profile-platform-microk8s.yaml b/chart/files/profile-platform-microk8s.yaml new file mode 100644 index 0000000..57d7f5e --- /dev/null +++ b/chart/files/profile-platform-microk8s.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/snap/microk8s/current/args/cni-network + cniBinDir: /var/snap/microk8s/current/opt/cni/bin diff --git a/chart/files/profile-platform-minikube.yaml b/chart/files/profile-platform-minikube.yaml new file mode 100644 index 0000000..fa9992e --- /dev/null +++ b/chart/files/profile-platform-minikube.yaml @@ -0,0 +1,6 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniNetnsDir: /var/run/docker/netns 
diff --git a/chart/files/profile-platform-openshift.yaml b/chart/files/profile-platform-openshift.yaml new file mode 100644 index 0000000..8ddc5e1 --- /dev/null +++ b/chart/files/profile-platform-openshift.yaml @@ -0,0 +1,19 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The OpenShift profile provides a basic set of settings to run Istio on OpenShift +cni: + cniBinDir: /var/lib/cni/bin + cniConfDir: /etc/cni/multus/net.d + chained: false + cniConfFileName: "istio-cni.conf" + provider: "multus" +pilot: + cni: + enabled: true + provider: "multus" +seLinuxOptions: + type: spc_t +# Openshift requires privileged pods to run in kube-system +trustedZtunnelNamespace: "kube-system" diff --git a/chart/files/profile-remote.yaml b/chart/files/profile-remote.yaml new file mode 100644 index 0000000..d17b9a8 --- /dev/null +++ b/chart/files/profile-remote.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile. +istiodRemote: + enabled: true +configMap: false +telemetry: + enabled: false +global: + # TODO BML maybe a different profile for a configcluster/revisit this + omitSidecarInjectorConfigMap: true diff --git a/chart/templates/_helpers.tpl b/chart/templates/_helpers.tpl index 6ef392d..56a6f17 100644 --- a/chart/templates/_helpers.tpl +++ b/chart/templates/_helpers.tpl 
@@ -6,19 +6,8 @@ {{- end -}} {{- end }} -{{/* -Create chart name and version as used by the helm.sh/chart label. -*/}} -{{- define "gateway.chart" -}} -{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} -{{- end }} - {{- define "gateway.labels" -}} -helm.sh/chart: {{ include "gateway.chart" . }} {{ include "gateway.selectorLabels" . }} -app.kubernetes.io/name: {{ include "gateway.name" . }} -app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} -app.kubernetes.io/managed-by: {{ .Release.Service }} {{- range $key, $val := .Values.labels }} {{- if and (ne $key "app") (ne $key "istio") }} {{ $key | quote }}: {{ $val | quote }} diff --git a/chart/templates/deployment.yaml b/chart/templates/deployment.yaml index 330dca0..bee05f3 100644 --- a/chart/templates/deployment.yaml +++ b/chart/templates/deployment.yaml @@ -4,6 +4,8 @@ metadata: name: {{ include "gateway.name" . }} namespace: {{ .Release.Namespace }} labels: + app.kubernetes.io/name: {{ include "gateway.name" . }} + {{- include "istio.labels" . | nindent 4}} {{- include "gateway.labels" . | nindent 4}} annotations: {{- .Values.annotations | toYaml | nindent 4 }} @@ -13,6 +15,13 @@ spec: replicas: {{ . }} {{- end }} {{- end }} + {{- with .Values.strategy }} + strategy: + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.minReadySeconds }} + minReadySeconds: {{ . }} + {{- end }} selector: matchLabels: {{- include "gateway.selectorLabels" . | nindent 6 }} @@ -26,7 +35,7 @@ spec: {{- include "gateway.sidecarInjectionLabels" . | nindent 8 }} {{- include "gateway.selectorLabels" . | nindent 8 }} app.kubernetes.io/name: {{ include "gateway.name" . }} - app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} + {{- include "istio.labels" . | nindent 8}} {{- range $key, $val := .Values.labels }} {{- if and (ne $key "app") (ne $key "istio") }} {{ $key | quote }}: {{ $val | quote }} 
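Review bot: `gateway.labels` now emits only `gateway.selectorLabels` plus `.Values.labels`, so `helm.sh/chart`, `app.kubernetes.io/name`, `app.kubernetes.io/version` and `app.kubernetes.io/managed-by` reach a resource only where the template adds `app.kubernetes.io/name` and `{{- include "istio.labels" . }}` beside the include, as the deployment, hpa, poddisruptionbudget, role, service and serviceaccount templates in this commit do. Any other template in the chart that includes just `gateway.labels` (the README table lists `networkPolicies.*` values, which suggests Big Bang-specific templates exist outside this commit) would silently lose those labels, so the remaining include sites are worth a grep before merging. The removed `gateway.chart` block took its comment with it and the define got none in return; a one-line comment above it, `{{/* Chart-specific labels only; the common app.kubernetes.io/* labels come from "istio.labels", which callers must include alongside this. */}}`, would make the split explicit. The `gateway.labels` define continues past the end of the hunk.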
@@ -72,7 +81,7 @@ spec: allowPrivilegeEscalation: false privileged: false readOnlyRootFilesystem: true - {{- if not (eq .Values.platform "openshift") }} + {{- if not (eq (.Values.platform | default "") "openshift") }} runAsUser: 1337 runAsGroup: 1337 {{- end }} @@ -100,7 +109,11 @@ spec: {{- toYaml .Values.resources | nindent 12 }} {{- with .Values.volumeMounts }} volumeMounts: - {{ toYaml . | nindent 12 }} + {{- toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.readinessProbe }} + readinessProbe: + {{- toYaml . | nindent 12 }} {{- end }} {{- with .Values.nodeSelector }} nodeSelector: diff --git a/chart/templates/hpa.yaml b/chart/templates/hpa.yaml index 1b0f936..64ecb6a 100644 --- a/chart/templates/hpa.yaml +++ b/chart/templates/hpa.yaml @@ -5,6 +5,8 @@ metadata: name: {{ include "gateway.name" . }} namespace: {{ .Release.Namespace }} labels: + app.kubernetes.io/name: {{ include "gateway.name" . }} + {{- include "istio.labels" . | nindent 4}} {{- include "gateway.labels" . | nindent 4 }} annotations: {{- .Values.annotations | toYaml | nindent 4 }} diff --git a/chart/templates/poddisruptionbudget.yaml b/chart/templates/poddisruptionbudget.yaml index 77f71e7..b0155cd 100644 --- a/chart/templates/poddisruptionbudget.yaml +++ b/chart/templates/poddisruptionbudget.yaml @@ -5,6 +5,8 @@ metadata: name: {{ include "gateway.name" . }} namespace: {{ .Release.Namespace }} labels: + app.kubernetes.io/name: {{ include "gateway.name" . }} + {{- include "istio.labels" . | nindent 4}} {{- include "gateway.labels" . | nindent 4}} spec: selector: diff --git a/chart/templates/role.yaml b/chart/templates/role.yaml index c8a25cb..3d16079 100644 --- a/chart/templates/role.yaml +++ b/chart/templates/role.yaml 
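Review bot: With the platform test on the `{{- if not (eq (.Values.platform | default "") "openshift") }}` line, an OpenShift install gets neither `runAsUser` nor `runAsGroup`, so nothing inside this conditional asserts the container is non-root on that platform (presumably the SCC assigns the UID there). Unless `runAsNonRoot: true` is already set above the hunk (the start of the securityContext is outside it), it belongs outside the conditional, right after `readOnlyRootFilesystem: true`, since it holds whichever UID the platform assigns. The `| default ""` on the same line is a reasonable hardening of the comparison for installs that never set `platform`. The container spec continues beyond the hunk.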
@@ -6,6 +6,8 @@ metadata: name: {{ include "gateway.serviceAccountName" . }} namespace: {{ .Release.Namespace }} labels: + app.kubernetes.io/name: {{ include "gateway.name" . }} + {{- include "istio.labels" . | nindent 4}} {{- include "gateway.labels" . | nindent 4}} annotations: {{- .Values.annotations | toYaml | nindent 4 }} @@ -20,6 +22,8 @@ metadata: name: {{ include "gateway.serviceAccountName" . }} namespace: {{ .Release.Namespace }} labels: + app.kubernetes.io/name: {{ include "gateway.name" . }} + {{- include "istio.labels" . | nindent 4}} {{- include "gateway.labels" . | nindent 4}} annotations: {{- .Values.annotations | toYaml | nindent 4 }} diff --git a/chart/templates/service.yaml b/chart/templates/service.yaml index 9177d2a..25ce3bc 100644 --- a/chart/templates/service.yaml +++ b/chart/templates/service.yaml @@ -5,6 +5,8 @@ metadata: name: {{ include "gateway.name" . }} namespace: {{ .Release.Namespace }} labels: + app.kubernetes.io/name: {{ include "gateway.name" . }} + {{- include "istio.labels" . | nindent 4}} {{- include "gateway.labels" . | nindent 4 }} {{- with .Values.networkGateway }} topology.istio.io/network: "{{.}}" diff --git a/chart/templates/serviceaccount.yaml b/chart/templates/serviceaccount.yaml index e5b2304..c88afea 100644 --- a/chart/templates/serviceaccount.yaml +++ b/chart/templates/serviceaccount.yaml @@ -5,6 +5,8 @@ metadata: name: {{ include "gateway.serviceAccountName" . }} namespace: {{ .Release.Namespace }} labels: + app.kubernetes.io/name: {{ include "gateway.name" . }} + {{- include "istio.labels" . | nindent 4}} {{- include "gateway.labels" . | nindent 4 }} {{- with .Values.serviceAccount.annotations }} annotations: diff --git a/chart/templates/zzz_profile.yaml b/chart/templates/zzz_profile.yaml index 2d0bd4a..ded66c5 100644 --- a/chart/templates/zzz_profile.yaml +++ b/chart/templates/zzz_profile.yaml 
@@ -15,15 +15,20 @@ However, we can workaround this by placing all of (1) under a specific key (.Val We can then merge the profile onto the defaults, then the user settings onto that. Finally, we can set all of that under .Values so the chart behaves without awareness. */}} -{{- $globals := $.Values.global | default dict | deepCopy }} -{{- $defaults := $.Values.defaults }} -{{- $_ := unset $.Values "defaults" }} +{{- if $.Values.defaults}} +{{ fail (cat + "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n" + ($.Values.defaults | toYaml |nindent 4) +) }} +{{- end }} +{{- $defaults := $.Values._internal_defaults_do_not_set }} +{{- $_ := unset $.Values "_internal_defaults_do_not_set" }} {{- $profile := dict }} -{{- with .Values.profile }} +{{- with (coalesce ($.Values).profile ($.Values.global).profile) }} {{- with $.Files.Get (printf "files/profile-%s.yaml" .)}} {{- $profile = (. | fromYaml) }} {{- else }} -{{ fail (cat "unknown profile" $.Values.profile) }} +{{ fail (cat "unknown profile" .) }} {{- end }} {{- end }} {{- with .Values.compatibilityVersion }} 
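Review bot: The new `fail` text says `.default prefix` while the key tested on the `{{- if $.Values.defaults}}` line is `defaults`, and its example `--set defaults.hub=foo` names a `hub` value this chart does not expose (none appears in the README table); replacing `.default` with `.defaults` and `defaults.hub`/`hub` with a value this chart actually has, such as `defaults.name`/`name`, would keep the hint actionable. The message also echoes the entire user-supplied `defaults` subtree into the failure output, which is handy interactively but means whatever an operator placed there ends up in pipeline logs; a short comment above the block stating that this is intentional would save a future reader from wondering. Both lines appear to be copied from the upstream chart, so keeping them verbatim for easier kpt merges is a defensible choice as well.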
@@ -33,11 +38,37 @@ Finally, we can set all of that under .Values so the chart behaves without aware {{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }} {{- end }} {{- end }} +{{- with (coalesce ($.Values).platform ($.Values.global).platform) }} +{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }} +{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown platform" .) }} +{{- end }} +{{- end }} {{- if $profile }} {{- $a := mustMergeOverwrite $defaults $profile }} {{- end }} # Flatten globals, if defined on a per-chart basis -{{- if false }} -{{- $a := mustMergeOverwrite $defaults $globals }} +{{- if true }} +{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict) }} {{- end }} {{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }} + +{{/* +Labels that should be applied to ALL resources. +*/}} +{{- define "istio.labels" -}} +{{- if .Release.Service -}} +app.kubernetes.io/managed-by: {{ .Release.Service | quote }} +{{- end }} +{{- if .Release.Name }} +app.kubernetes.io/instance: {{ .Release.Name | quote }} +{{- end }} +app.kubernetes.io/part-of: "istio" +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +{{- if and .Chart.Name .Chart.Version }} +helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end -}} diff --git a/chart/values.schema.json b/chart/values.schema.json index 4c4f083..c43b8ef 100644 --- a/chart/values.schema.json +++ b/chart/values.schema.json @@ -60,6 +60,15 @@ "env": { "type": "object" }, + "strategy": { + "type": "object" + }, + "minReadySeconds": { + "type": [ "null", "integer" ] + }, + "readinessProbe": { + "type": [ "null", "object" ] + }, "labels": { "type": "object" }, 
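Review bot: The values layering now has five sources but the header comment above this hunk still describes only defaults, profile and user settings; a comment on the first `mustMergeOverwrite` line spelling out the resulting precedence, `{{/* Precedence, lowest to highest: built-in defaults, profile file, platform file, profile.global, .Values.global, then user .Values */}}`, would save the next maintainer from re-deriving it from the three merge calls (later arguments of `mustMergeOverwrite` win, and the platform file is merged onto `$profile` before `$profile` is merged onto `$defaults`). `compatibilityVersion` is still read only from `.Values.compatibilityVersion` (the `with` just above the hunk and the `fail` at its top) while `profile` and `platform` are now coalesced with their `global.*` counterparts; if that asymmetry is inherited from upstream it deserves a one-line note, otherwise `coalesce ($.Values).compatibilityVersion ($.Values.global).compatibilityVersion` would make the three consistent. The `{{- if true }}` wrapper around the globals merge is a leftover toggle (it was `if false` before) and the block reads cleaner without it.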
@@ -237,17 +246,6 @@ "Never" ] }, - "imagePullSecrets": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string" - } - } - } - }, "podDisruptionBudget": { "type": "object", "properties": { diff --git a/chart/values.yaml b/chart/values.yaml index df29075..b39a675 100644 --- a/chart/values.yaml +++ b/chart/values.yaml @@ -1,6 +1,6 @@ -# "defaults" is a workaround for Helm limitations. Users should NOT set ".defaults" explicitly, but rather directly set the fields internally. -# For instance, instead of `--set defaults.foo=bar`, just set `--set foo=bar`. -defaults: +# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. +# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. +_internal_defaults_do_not_set: # Name allows overriding the release name. Generally this should not be set name: "" # revision declares which revision this gateway is a part of @@ -84,8 +84,21 @@ defaults: # Pod environment variables env: {} + # Deployment Update strategy + strategy: {} + + # Sets the Deployment minReadySeconds value + minReadySeconds: + + # Optionally configure a custom readinessProbe. By default the control plane + # automatically injects the readinessProbe. If you wish to override that + # behavior, you may define your own readinessProbe here. + readinessProbe: {} + # Labels to apply to all resources - labels: {} + labels: + # By default, don't enroll gateways into the ambient dataplane + "istio.io/dataplane-mode": none # Annotations to apply to all resources annotations: {} @@ -104,7 +117,7 @@ defaults: # Setting ironbank image image: repo: registry1.dso.mil/ironbank/opensource/istio/proxyv2 - tag: 1.23.3 + tag: 1.25.0 # Specify image pull policy if default behavior isn't desired. # Default behavior: latest images will be Always else IfNotPresent 
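Review bot: Dropping the `imagePullSecrets` entry from values.schema.json leaves the chart's own default `imagePullSecrets: [{name: private-registry}]` (see the README table) unvalidated. If the enclosing object, which starts outside the hunk, declares `additionalProperties: false`, the default itself will now fail schema validation at install time; if it does not, a malformed override such as a bare string is no longer rejected until the API server refuses the Deployment. Unless the removal mirrors upstream for a reason that should be stated in the changelog, restoring the removed array schema is the safer option.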
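Review bot: The rewritten header comment in the first values.yaml hunk ends its example with two backticks after `foo=bar`, so the rendered text shows a stray backtick; drop one. `minReadySeconds:` is added with no value, which YAML reads as null, the deployment template's `with` then omits the field and the schema's `["null", "integer"]` accepts it, but nothing tells the reader that leaving it empty is the intended way to disable it; `# Sets the Deployment minReadySeconds value; leave empty (null) to omit the field` would. The `"istio.io/dataplane-mode": none` default is passed through to the pod labels by the `range` in deployment.yaml (only the `app` and `istio` keys are filtered), which is what the comment intends.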
@@ -143,6 +156,7 @@ defaults:
 # podDisruptionBudget: {}
+ # Sets the per-pod terminationGracePeriodSeconds setting.
 terminationGracePeriodSeconds: 30
 # A list of `Volumes` added into the Gateway Pods. See
@@ -162,7 +176,7 @@ defaults:
 # If enterprise is set to true FIPs Tetrate Image Distro images are used
 enterprise: false
 tidHub: registry1.dso.mil/ironbank/tetrate/istio
- tidTag: 1.23.3-tetratefips-v0
+ tidTag: 1.25.0-tetratefips0
 mtls:
 # -- STRICT = Allow only mutual TLS traffic,
diff --git a/docs/DEVELOPMENT_MAINTENANCE.md b/docs/DEVELOPMENT_MAINTENANCE.md
index c346b7b..ec7710b 100644
--- a/docs/DEVELOPMENT_MAINTENANCE.md
+++ b/docs/DEVELOPMENT_MAINTENANCE.md
@@ -4,14 +4,14 @@
 1. Update via `kpt`:
 ```bash
 # update to VERSION of the upstream chart auto-merging in changes
- kpt pkg update chart@1.23.2 --strategy alpha-git-patch
+ kpt pkg update chart@1.25.0 --strategy alpha-git-patch
 ```
 Or if you'd like to pull down upstream to a fresh `DIR` and manually merge in the changes yourself:
 ```bash
 # get a fresh VERSION of the upstream chart to DIR
- kpt pkg get "https://github.com/istio/istio.git/manifests/charts/gateway@1.23.2" ./fresh
+ kpt pkg get "https://github.com/istio/istio.git/manifests/charts/gateway@1.25.0" ./fresh
 ```
-1. Update version references for the Chart. `version` should be `<version>-bb.0` (ex: `1.22.2-bb.0`) and `appVersion` should be `<version>` (ex: `1.22.2`). Also validate that the BB annotation for the main Istio version is updated (leave the Tetrate version as-is unless you are updating those images).
+1. Update version references for the Chart. `version` should be `<version>-bb.0` (ex: `1.25.0-bb.0`) and `appVersion` should be `<version>` (ex: `1.25.0`). Also validate that the BB annotation for the main Istio version is updated (leave the Tetrate version as-is unless you are updating those images).
 1. Add a changelog entry for the update. At minimum mention updating the image versions.
 1. Update the readme following the [steps in Gluon](https://repo1.dso.mil/platform-one/big-bang/apps/library-charts/gluon/-/blob/master/docs/bb-package-readme.md).
 1. Open MR (or check the one that Renovate created for you) and validate that the pipeline is successful. Also follow the testing steps below for some manual confirmations.
@@ -40,7 +40,12 @@ This is a high-level list of modifications that Big Bang has made to the upstrea
 ```
 ## chart/templates/deployment.yaml
-- Added templating for Tetrate FIPs image integration lines 56-60.
+- Added templating for Tetrate FIPs image integration lines 65-67.
+```
+ {{- if .Values.enterprise }}
+ image: "{{ .Values.tidHub }}/{{ "proxyv2" }}:{{ .Values.tidTag }}"
+ {{- else }}
+```
 - Modified the following section under `spec.template.spec.containers.ports` to suppress warnings from Kiali as the gateway deployment was not listening on the same ports as its associated service:
 ```
@@ -50,17 +55,87 @@ This is a high-level list of modifications that Big Bang has made to the upstrea
 name: {{ $ports.name }}
 {{- end }}
 ```
+- Modified `spec.containers.image` away from using `auto` to speed up deployment
+```
+ image: "{{ .Values.image.repo }}:{{ .Values.image.tag }}"
+```
 ## chart/values.yaml
-- Added enterprise boolean, tidHub and tidTag for Tetrate FIPs image integraton lines 157-160.
-- Prepended default `status-port` to `tcp-status-port` under `service.ports` section to appease Kiali warning.
-- Added gateway which is used to pass down required values into `chart/templates/bigbang/gateway.yaml`.
+- Specified the `image` to use instead of using `auto`
+```
+ # Setting ironbank image
+ image:
+ repo: registry1.dso.mil/ironbank/opensource/istio/proxyv2
+ tag: 1.25.0
+```
+- Changed `imagePullSecrets` to `private-registry`
+```
+ imagePullSecrets:
+ - name: private-registry
+```
+
+- Added `defaults.enterprise` boolean, tidHub and tidTag for Tetrate FIPs image integraton around line 176.
+```
+ # If enterprise is set to true FIPs Tetrate Image Distro images are used
+ enterprise: false
+ tidHub: registry1.dso.mil/ironbank/tetrate/istio
+ tidTag: 1.25.0-tetratefips0
+```
+
+- Changed `status-port` to `tcp-status-port` under `service.ports` section to appease Kiali warning.
+- Changed the `targetPort`s under `service.ports` from 80 and 443 to 8080 and 8443.
+
+
+- Added default gateway which is used to pass down required values into `chart/templates/bigbang/gateway.yaml`.
+```
+# Settings for istio gateway
+gateway:
+ servers:
+ - hosts:
+ - '*.dev.bigbang.mil'
+ port:
+ name: http
+ number: 8080
+ protocol: HTTP
+ tls:
+ httpsRedirect: true
+ - hosts:
+ - '*.dev.bigbang.mil'
+ port:
+ name: https
+ number: 8443
+ protocol: HTTPS
+ tls:
+ credentialName: public-cert
+ mode: SIMPLE
+```
+
 - Added `networkPolicies` section to enable default network policies and allow custom additional network policies to be added.
-- Added the following `mtls` section to enable mutual TLS used in `chart/templates/bigbang/peerAuthentication.yaml`:
+```
+networkPolicies:
+ enabled: true
+ additionalPolicies: []
+```
+- Added the following `mtls` section to enable mutual TLS used in `chart/templates/bigbang/peerAuthentication.yaml`:
 ```
 mtls:
 # -- STRICT = Allow only mutual TLS traffic,
 # PERMISSIVE = Allow both plain text and mutual TLS traffic
 mode: STRICT
-```
\ No newline at end of file
+```
+
+## chart/templates/_helpers.tpl
+Replaced:
+```
+{{- if .Values.serviceAccount.create }}
+{{- .Values.serviceAccount.name | default (include "gateway.name" .) }}
+{{- else }}
+```
+...with...
+```
+{{- if .Values.serviceAccount.create }}
+{{- $defaultSericeAccount := printf "%s-%s" (include "gateway.name" .) "ingressgateway-service-account" -}}
+{{- .Values.serviceAccount.name | default $defaultSericeAccount }}
+{{- else }}
+```
-- GitLab